<!DOCTYPE html>
<html dir='ltr' lang='en-GB'>
<head>
<!-- Encoding declaration kept at the very top of <head>; it must appear within the first 1024 bytes of the document -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Detecting Linux Anti-Forensics Log Tampering</title>
<!-- Browser-chrome tint: theme-color (Chrome, Firefox OS, Opera) and its Windows Phone equivalent -->
<meta name="theme-color" content="#b489e9">
<meta name="msapplication-navbutton-color" content="#b489e9">
<meta name="generator" content="blogger">
<link rel="icon" type="image/x-icon" href="https://www.inversecos.com/favicon.ico">
<!-- Canonical URL of this post; the og:url below repeats the same value -->
<link rel="canonical" href="https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html">
<!-- Blog-wide feeds: posts as Atom and RSS, plus the Blogger posting endpoint -->
<link rel="alternate" type="application/atom+xml" title="InverseCos - Atom" href="https://www.inversecos.com/feeds/posts/default">
<link rel="alternate" type="application/rss+xml" title="InverseCos - RSS" href="https://www.inversecos.com/feeds/posts/default?alt=rss">
<link rel="service.post" type="application/atom+xml" title="InverseCos - Atom" href="https://www.blogger.com/feeds/4913778223018726354/posts/default">
<!-- Per-post comment feed; it carries the same title as the posts feed above, only the href distinguishes them -->
<link rel="alternate" type="application/atom+xml" title="InverseCos - Atom" href="https://www.inversecos.com/feeds/8350766800150925637/comments/default">
<!-- Preview image and Open Graph card; og:description is left empty by the generator -->
<link rel="image_src" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9_nLzfqraZb2qdaZP3pw9FnzRwStVKBX3FWoGqaCxtTzkzM_vXn2utPncfIyL7v38Pb39ggaycVs7h83LSuS0_4Otx2f0cPnnXw6RTyxSxSDbQwX0OQglt-4oush9XyknHY2A7xG3-BQAbOl80n0rcMTExHwdT3eH1nYX7D_vZcJW4iFAd1GUAgaKqw/s16000/4.png">
<meta property="og:url" content="https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html">
<meta property="og:title" content="Detecting Linux Anti-Forensics Log Tampering">
<meta property="og:description" content="">
<meta property="og:image" content="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9_nLzfqraZb2qdaZP3pw9FnzRwStVKBX3FWoGqaCxtTzkzM_vXn2utPncfIyL7v38Pb39ggaycVs7h83LSuS0_4Otx2f0cPnnXw6RTyxSxSDbQwX0OQglt-4oush9XyknHY2A7xG3-BQAbOl80n0rcMTExHwdT3eH1nYX7D_vZcJW4iFAd1GUAgaKqw/w1200-h630-p-k-no-nu/4.png">
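<style>
/* Inlined Google Fonts declarations for "Roboto" (path version v30, woff2 only).
   Three faces are declared - italic 300, normal 400 and normal 700 - each split
   into seven unicode-range subsets so the browser only fetches the script blocks
   the page actually renders.
   The original markup had been line-wrapped mid-token ("font-w|eight", "@font-fac|e"),
   which a CSS tokenizer would reject; each rule is now on its own line.
   Font URLs use an explicit https: scheme instead of the protocol-relative "//"
   form, so they resolve identically from the canonical https origin and still
   resolve correctly when the document is opened from a local copy. */
/* italic 300 */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc3CsTKlA.woff2) format('woff2');unicode-range:U+0460-052F,U+1C80-1C88,U+20B4,U+2DE0-2DFF,U+A640-A69F,U+FE2E-FE2F;} /* Cyrillic extended */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc-CsTKlA.woff2) format('woff2');unicode-range:U+0301,U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;} /* Cyrillic */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc2CsTKlA.woff2) format('woff2');unicode-range:U+1F00-1FFF;} /* Greek extended */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc5CsTKlA.woff2) format('woff2');unicode-range:U+0370-03FF;} /* Greek */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc1CsTKlA.woff2) format('woff2');unicode-range:U+0102-0103,U+0110-0111,U+0128-0129,U+0168-0169,U+01A0-01A1,U+01AF-01B0,U+1EA0-1EF9,U+20AB;} /* Vietnamese */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc0CsTKlA.woff2) format('woff2');unicode-range:U+0100-024F,U+0259,U+1E00-1EFF,U+2020,U+20A0-20AB,U+20AD-20CF,U+2113,U+2C60-2C7F,U+A720-A7FF;} /* Latin extended */
@font-face{font-family:'Roboto';font-style:italic;font-weight:300;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOjCnqEu92Fr1Mu51TjASc6CsQ.woff2) format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;} /* Latin */
/* normal 400 */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu72xKOzY.woff2) format('woff2');unicode-range:U+0460-052F,U+1C80-1C88,U+20B4,U+2DE0-2DFF,U+A640-A69F,U+FE2E-FE2F;} /* Cyrillic extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu5mxKOzY.woff2) format('woff2');unicode-range:U+0301,U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;} /* Cyrillic */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu7mxKOzY.woff2) format('woff2');unicode-range:U+1F00-1FFF;} /* Greek extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4WxKOzY.woff2) format('woff2');unicode-range:U+0370-03FF;} /* Greek */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu7WxKOzY.woff2) format('woff2');unicode-range:U+0102-0103,U+0110-0111,U+0128-0129,U+0168-0169,U+01A0-01A1,U+01AF-01B0,U+1EA0-1EF9,U+20AB;} /* Vietnamese */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu7GxKOzY.woff2) format('woff2');unicode-range:U+0100-024F,U+0259,U+1E00-1EFF,U+2020,U+20A0-20AB,U+20AD-20CF,U+2113,U+2C60-2C7F,U+A720-A7FF;} /* Latin extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2) format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;} /* Latin */
/* normal 700 */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfCRc4EsA.woff2) format('woff2');unicode-range:U+0460-052F,U+1C80-1C88,U+20B4,U+2DE0-2DFF,U+A640-A69F,U+FE2E-FE2F;} /* Cyrillic extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfABc4EsA.woff2) format('woff2');unicode-range:U+0301,U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;} /* Cyrillic */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfCBc4EsA.woff2) format('woff2');unicode-range:U+1F00-1FFF;} /* Greek extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfBxc4EsA.woff2) format('woff2');unicode-range:U+0370-03FF;} /* Greek */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfCxc4EsA.woff2) format('woff2');unicode-range:U+0102-0103,U+0110-0111,U+0128-0129,U+0168-0169,U+01A0-01A1,U+01AF-01B0,U+1EA0-1EF9,U+20AB;} /* Vietnamese */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2) format('woff2');unicode-range:U+0100-024F,U+0259,U+1E00-1EFF,U+2020,U+20A0-20AB,U+20AD-20CF,U+2113,U+2C60-2C7F,U+A720-A7FF;} /* Latin extended */
@font-face{font-family:'Roboto';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlfBBc4.woff2) format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;} /* Latin */
</style>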
<style id='page-skin-1' type='text/css'><!--
/*! normalize.css v8.0.0 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}h1{font-size:2em;margin:.67em 0}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}img{border-style:none}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,[type="button"],[type="reset"],[type="submit"]{-webkit-appearance:button}button::-moz-focus-inner,[type="button"]::-moz-focus-inner,[type="reset"]::-moz-focus-inner,[type="submit"]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type="button"]:-moz-focusring,[type="reset"]:-moz-focusring,[type="submit"]:-moz-focusring{outline:1px dotted ButtonText}fieldset{padding:.35em .75em .625em}legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal}progress{vertical-align:baseline}textarea{overflow:auto}[type="checkbox"],[type="radio"]{box-sizing:border-box;padding:0}[type="number"]::-webkit-inner-spin-button,[type="number"]::-webkit-outer-spin-button{height:auto}[type="search"]{-webkit-appearance:textfield;outline-offset:-2px}[type="search"]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details{display:block}summary{display:list-item}template{display:none}[hidden]{display:none}
/*!************************************************
* Blogger Template Style
* Name: Essential
**************************************************/
body{
overflow-wrap:break-word;
word-break:break-word;
word-wrap:break-word
}
.hidden{
display:none
}
.invisible{
visibility:hidden
}
.container:after,.float-container:after{
clear:both;
content:"";
display:table
}
.clearboth{
clear:both
}
#comments .comment .comment-actions,.subscribe-popup .FollowByEmail .follow-by-email-submit,.widget.Profile .profile-link,.widget.Profile .profile-link.visit-profile{
background:transparent;
border:0;
box-shadow:none;
color:#7b1fa2;
cursor:pointer;
font-size:14px;
font-weight:700;
outline:none;
text-decoration:none;
text-transform:uppercase;
width:auto
}
.dim-overlay{
height:100vh;
left:0;
position:fixed;
top:0;
width:100%
}
#sharing-dim-overlay{
background-color:transparent
}
input::-ms-clear{
display:none
}
.blogger-logo,.svg-icon-24.blogger-logo{
fill:#ff9800;
opacity:1
}
.loading-spinner-large{
-webkit-animation:mspin-rotate 1568.63ms linear infinite;
animation:mspin-rotate 1568.63ms linear infinite;
height:48px;
overflow:hidden;
position:absolute;
width:48px;
z-index:200
}
.loading-spinner-large>div{
-webkit-animation:mspin-revrot 5332ms steps(4) infinite;
animation:mspin-revrot 5332ms steps(4) infinite
}
.loading-spinner-large>div>div{
-webkit-animation:mspin-singlecolor-large-film 1333ms steps(81) infinite;
animation:mspin-singlecolor-large-film 1333ms steps(81) infinite;
background-size:100%;
height:48px;
width:3888px
}
.mspin-black-large>div>div,.mspin-grey_54-large>div>div{
background-image:url(https://www.blogblog.com/indie/mspin_black_large.svg)
}
.mspin-white-large>div>div{
background-image:url(https://www.blogblog.com/indie/mspin_white_large.svg)
}
.mspin-grey_54-large{
opacity:.54
}
@-webkit-keyframes mspin-singlecolor-large-film{
0%{
-webkit-transform:translateX(0);
transform:translateX(0)
}
to{
-webkit-transform:translateX(-3888px);
transform:translateX(-3888px)
}
}
@keyframes mspin-singlecolor-large-film{
0%{
-webkit-transform:translateX(0);
transform:translateX(0)
}
to{
-webkit-transform:translateX(-3888px);
transform:translateX(-3888px)
}
}
@-webkit-keyframes mspin-rotate{
0%{
-webkit-transform:rotate(0deg);
transform:rotate(0deg)
}
to{
-webkit-transform:rotate(1turn);
transform:rotate(1turn)
}
}
@keyframes mspin-rotate{
0%{
-webkit-transform:rotate(0deg);
transform:rotate(0deg)
}
to{
-webkit-transform:rotate(1turn);
transform:rotate(1turn)
}
}
@-webkit-keyframes mspin-revrot{
0%{
-webkit-transform:rotate(0deg);
transform:rotate(0deg)
}
to{
-webkit-transform:rotate(-1turn);
transform:rotate(-1turn)
}
}
@keyframes mspin-revrot{
0%{
-webkit-transform:rotate(0deg);
transform:rotate(0deg)
}
to{
-webkit-transform:rotate(-1turn);
transform:rotate(-1turn)
}
}
.skip-navigation{
background-color:#fff;
box-sizing:border-box;
color:#000;
display:block;
height:0;
left:0;
line-height:50px;
overflow:hidden;
padding-top:0;
position:fixed;
text-align:center;
top:0;
-webkit-transition:box-shadow .3s,height .3s,padding-top .3s;
transition:box-shadow .3s,height .3s,padding-top .3s;
width:100%;
z-index:900
}
.skip-navigation:focus{
box-shadow:0 4px 5px 0 rgba(0,0,0,.14),0 1px 10px 0 rgba(0,0,0,.12),0 2px 4px -1px rgba(0,0,0,.2);
height:50px
}
#main{
outline:none
}
.main-heading{
position:absolute;
clip:rect(1px,1px,1px,1px);
padding:0;
border:0;
height:1px;
width:1px;
overflow:hidden
}
.Attribution{
margin-top:1em;
text-align:center
}
.Attribution .blogger img,.Attribution .blogger svg{
vertical-align:bottom
}
.Attribution .blogger img{
margin-right:.5em
}
.Attribution div{
line-height:24px;
margin-top:.5em
}
.Attribution .copyright,.Attribution .image-attribution{
font-size:.7em;
margin-top:1.5em
}
.BLOG_mobile_video_class{
display:none
}
.bg-photo{
background-attachment:scroll!important
}
body .CSS_LIGHTBOX{
z-index:900
}
.extendable .show-less,.extendable .show-more{
border-color:#7b1fa2;
color:#7b1fa2;
margin-top:8px
}
.extendable .show-less.hidden,.extendable .show-more.hidden,.inline-ad{
display:none
}
.inline-ad{
max-width:100%;
overflow:hidden
}
.adsbygoogle{
display:block
}
#cookieChoiceInfo{
bottom:0;
top:auto
}
iframe.b-hbp-video{
border:0
}
.post-body iframe,.post-body img{
max-width:100%
}
.post-body a[imageanchor=\31]{
display:inline-block
}
.byline{
margin-right:1em
}
.byline:last-child{
margin-right:0
}
.link-copied-dialog{
max-width:520px;
outline:0
}
.link-copied-dialog .modal-dialog-buttons{
margin-top:8px
}
.link-copied-dialog .goog-buttonset-default{
background:transparent;
border:0
}
.link-copied-dialog .goog-buttonset-default:focus{
outline:0
}
.paging-control-container{
margin-bottom:16px
}
.paging-control-container .paging-control{
display:inline-block
}
.paging-control-container .comment-range-text:after,.paging-control-container .paging-control{
color:#7b1fa2
}
.paging-control-container .comment-range-text,.paging-control-container .paging-control{
margin-right:8px
}
.paging-control-container .comment-range-text:after,.paging-control-container .paging-control:after{
content:"\b7";
cursor:default;
padding-left:8px;
pointer-events:none
}
.paging-control-container .comment-range-text:last-child:after,.paging-control-container .paging-control:last-child:after{
content:none
}
.byline.reactions iframe{
height:20px
}
.b-notification{
color:#000;
background-color:#fff;
border-bottom:1px solid #000;
box-sizing:border-box;
padding:16px 32px;
text-align:center
}
.b-notification.visible{
-webkit-transition:margin-top .3s cubic-bezier(.4,0,.2,1);
transition:margin-top .3s cubic-bezier(.4,0,.2,1)
}
.b-notification.invisible{
position:absolute
}
.b-notification-close{
position:absolute;
right:8px;
top:8px
}
.no-posts-message{
line-height:40px;
text-align:center
}
@media screen and (max-width:800px){
body.item-view .post-body a[imageanchor=\31][style*=float\:\ left\;],body.item-view .post-body a[imageanchor=\31][style*=float\:\ right\;]{
float:none!important;
clear:none!important
}
body.item-view .post-body a[imageanchor=\31] img{
display:block;
height:auto;
margin:0 auto
}
body.item-view .post-body>.separator:first-child>a[imageanchor=\31]:first-child{
margin-top:20px
}
.post-body a[imageanchor]{
display:block
}
body.item-view .post-body a[imageanchor=\31]{
margin-left:0!important;
margin-right:0!important
}
body.item-view .post-body a[imageanchor=\31]+a[imageanchor=\31]{
margin-top:16px
}
}
.item-control{
display:none
}
#comments{
border-top:1px dashed rgba(0,0,0,.54);
margin-top:20px;
padding:20px
}
#comments .comment-thread ol{
margin:0;
padding-left:0;
padding-left:0
}
#comments .comment-thread .comment-replies,#comments .comment .comment-replybox-single{
margin-left:60px
}
#comments .comment-thread .thread-count{
display:none
}
#comments .comment{
list-style-type:none;
padding:0 0 30px;
position:relative
}
#comments .comment .comment{
padding-bottom:8px
}
.comment .avatar-image-container{
position:absolute
}
.comment .avatar-image-container img{
border-radius:50%
}
.avatar-image-container svg,.comment .avatar-image-container .avatar-icon{
border-radius:50%;
border:1px solid #414141;
box-sizing:border-box;
fill:#414141;
height:35px;
margin:0;
padding:7px;
width:35px
}
.comment .comment-block{
margin-top:10px;
margin-left:60px;
padding-bottom:0
}
#comments .comment-author-header-wrapper{
margin-left:40px
}
#comments .comment .thread-expanded .comment-block{
padding-bottom:20px
}
#comments .comment .comment-header .user,#comments .comment .comment-header .user a{
color:#000000;
font-style:normal;
font-weight:700
}
#comments .comment .comment-actions{
bottom:0;
margin-bottom:15px;
position:absolute
}
#comments .comment .comment-actions>*{
margin-right:8px
}
#comments .comment .comment-header .datetime{
bottom:0;
display:inline-block;
font-size:13px;
font-style:italic;
margin-left:8px
}
#comments .comment .comment-footer .comment-timestamp a,#comments .comment .comment-header .datetime,#comments .comment .comment-header .datetime a{
color:rgba(0,0,0,.54)
}
#comments .comment .comment-content,.comment .comment-body{
margin-top:12px;
word-break:break-word
}
.comment-body{
margin-bottom:12px
}
#comments.embed[data-num-comments=\30]{
border:0;
margin-top:0;
padding-top:0
}
#comment-editor-src,#comments.embed[data-num-comments=\30] #comment-post-message,#comments.embed[data-num-comments=\30] div.comment-form>p,#comments.embed[data-num-comments=\30] p.comment-footer{
display:none
}
.comments .comments-content .loadmore.loaded{
max-height:0;
opacity:0;
overflow:hidden
}
.extendable .remaining-items{
height:0;
overflow:hidden;
-webkit-transition:height .3s cubic-bezier(.4,0,.2,1);
transition:height .3s cubic-bezier(.4,0,.2,1)
}
.extendable .remaining-items.expanded{
height:auto
}
.svg-icon-24,.svg-icon-24-button{
cursor:pointer;
height:24px;
width:24px;
min-width:24px
}
.touch-icon{
margin:-12px;
padding:12px
}
.touch-icon:active,.touch-icon:focus{
background-color:hsla(0,0%,60%,.4);
border-radius:50%
}
svg:not(:root).touch-icon{
overflow:visible
}
html[dir=rtl] .rtl-reversible-icon{
-webkit-transform:scaleX(-1);
transform:scaleX(-1)
}
.svg-icon-24-button,.touch-icon-button{
background:transparent;
border:0;
margin:0;
outline:none;
padding:0
}
.touch-icon-button .touch-icon:active,.touch-icon-button .touch-icon:focus{
background-color:transparent
}
.touch-icon-button:active .touch-icon,.touch-icon-button:focus .touch-icon{
background-color:hsla(0,0%,60%,.4);
border-radius:50%
}
.Profile .default-avatar-wrapper .avatar-icon{
border-radius:50%;
border:1px solid #414141;
box-sizing:border-box;
fill:#414141;
margin:0
}
.Profile .individual .default-avatar-wrapper .avatar-icon{
padding:25px
}
.Profile .individual .avatar-icon,.Profile .individual .profile-img{
height:120px;
width:120px
}
.Profile .team .default-avatar-wrapper .avatar-icon{
padding:8px
}
.Profile .team .avatar-icon,.Profile .team .default-avatar-wrapper,.Profile .team .profile-img{
height:40px;
width:40px
}
.snippet-container{
margin:0;
position:relative;
overflow:hidden
}
.snippet-fade{
bottom:0;
box-sizing:border-box;
position:absolute;
width:96px;
right:0
}
.snippet-fade:after{
content:"\2026";
float:right
}
.post-bottom{
-webkit-box-align:center;
align-items:center;
display:-webkit-box;
display:flex;
flex-wrap:wrap
}
.post-footer{
-webkit-box-flex:1;
flex:1 1 auto;
flex-wrap:wrap;
-webkit-box-ordinal-group:2;
order:1
}
.post-footer>*{
-webkit-box-flex:0;
flex:0 1 auto
}
.post-footer .byline:last-child{
margin-right:1em
}
.jump-link{
-webkit-box-flex:0;
flex:0 0 auto;
-webkit-box-ordinal-group:3;
order:2
}
.centered-top-container.sticky{
left:0;
position:fixed;
right:0;
top:0;
width:auto;
z-index:50;
-webkit-transition-property:opacity,-webkit-transform;
transition-property:opacity,-webkit-transform;
transition-property:transform,opacity;
transition-property:transform,opacity,-webkit-transform;
-webkit-transition-duration:.2s;
transition-duration:.2s;
-webkit-transition-timing-function:cubic-bezier(.4,0,.2,1);
transition-timing-function:cubic-bezier(.4,0,.2,1)
}
.centered-top-placeholder{
display:none
}
.collapsed-header .centered-top-placeholder{
display:block
}
.centered-top-container .Header .replaced h1,.centered-top-placeholder .Header .replaced h1{
display:none
}
.centered-top-container.sticky .Header .replaced h1{
display:block
}
.centered-top-container.sticky .Header .header-widget{
background:none
}
.centered-top-container.sticky .Header .header-image-wrapper{
display:none
}
.centered-top-container img,.centered-top-placeholder img{
max-width:100%
}
.collapsible{
-webkit-transition:height .3s cubic-bezier(.4,0,.2,1);
transition:height .3s cubic-bezier(.4,0,.2,1)
}
.collapsible,.collapsible>summary{
display:block;
overflow:hidden
}
.collapsible>:not(summary){
display:none
}
.collapsible[open]>:not(summary){
display:block
}
.collapsible:focus,.collapsible>summary:focus{
outline:none
}
.collapsible>summary{
cursor:pointer;
display:block;
padding:0
}
.collapsible:focus>summary,.collapsible>summary:focus{
background-color:transparent
}
.collapsible>summary::-webkit-details-marker{
display:none
}
.collapsible-title{
-webkit-box-align:center;
align-items:center;
display:-webkit-box;
display:flex
}
.collapsible-title .title{
-webkit-box-flex:1;
flex:1 1 auto;
-webkit-box-ordinal-group:1;
order:0;
overflow:hidden;
text-overflow:ellipsis;
white-space:nowrap
}
.collapsible-title .chevron-down,.collapsible[open] .collapsible-title .chevron-up{
display:block
}
.collapsible-title .chevron-up,.collapsible[open] .collapsible-title .chevron-down{
display:none
}
.flat-button{
font-weight:700;
text-transform:uppercase;
border-radius:2px;
padding:8px;
margin:-8px
}
.flat-button,.flat-icon-button{
cursor:pointer;
display:inline-block
}
.flat-icon-button{
background:transparent;
border:0;
outline:none;
margin:-12px;
padding:12px;
box-sizing:content-box;
line-height:0
}
.flat-icon-button,.flat-icon-button .splash-wrapper{
border-radius:50%
}
.flat-icon-button .splash.animate{
-webkit-animation-duration:.3s;
animation-duration:.3s
}
.overflowable-container{
max-height:44.8px;
overflow:hidden;
position:relative
}
.overflow-button{
cursor:pointer
}
#overflowable-dim-overlay{
background:transparent
}
.overflow-popup{
box-shadow:0 2px 2px 0 rgba(0,0,0,.14),0 3px 1px -2px rgba(0,0,0,.2),0 1px 5px 0 rgba(0,0,0,.12);
background-color:#ecdffa;
left:0;
max-width:calc(100% - 32px);
position:absolute;
top:0;
visibility:hidden;
z-index:101
}
.overflow-popup ul{
list-style:none
}
.overflow-popup .tabs li,.overflow-popup li{
display:block;
height:auto
}
.overflow-popup .tabs li{
padding-left:0;
padding-right:0
}
.overflow-button.hidden,.overflow-popup .tabs li.hidden,.overflow-popup li.hidden{
display:none
}
.pill-button{
background:transparent;
border:1px solid;
border-radius:12px;
cursor:pointer;
display:inline-block;
padding:4px 16px;
text-transform:uppercase
}
.ripple{
position:relative
}
.ripple>*{
z-index:1
}
.splash-wrapper{
bottom:0;
left:0;
overflow:hidden;
pointer-events:none;
position:absolute;
right:0;
top:0;
z-index:0
}
.splash{
background:#ccc;
border-radius:100%;
display:block;
opacity:.6;
position:absolute;
-webkit-transform:scale(0);
transform:scale(0)
}
.splash.animate{
-webkit-animation:ripple-effect .4s linear;
animation:ripple-effect .4s linear
}
@-webkit-keyframes ripple-effect{
to{
opacity:0;
-webkit-transform:scale(2.5);
transform:scale(2.5)
}
}
@keyframes ripple-effect{
to{
opacity:0;
-webkit-transform:scale(2.5);
transform:scale(2.5)
}
}
.search{
display:-webkit-box;
display:flex;
line-height:24px;
width:24px
}
.search.focused,.search.focused .section{
width:100%
}
.search form{
z-index:101
}
.search h3{
display:none
}
.search form{
display:-webkit-box;
display:flex;
-webkit-box-flex:1;
flex:1 0 0;
border-bottom:1px solid transparent;
padding-bottom:8px
}
.search form>*{
display:none
}
.search.focused form>*{
display:block
}
.search .search-input label{
display:none
}
.collapsed-header .centered-top-container .search.focused form{
border-bottom-color:transparent
}
.search-expand{
-webkit-box-flex:0;
flex:0 0 auto
}
.search-expand-text{
display:none
}
.search-close{
display:inline;
vertical-align:middle
}
.search-input{
-webkit-box-flex:1;
flex:1 0 1px
}
.search-input input{
background:none;
border:0;
box-sizing:border-box;
color:#000000;
display:inline-block;
outline:none;
width:calc(100% - 48px)
}
.search-input input.no-cursor{
color:transparent;
text-shadow:0 0 0 #000000
}
.collapsed-header .centered-top-container .search-action,.collapsed-header .centered-top-container .search-input input{
color:#000000
}
.collapsed-header .centered-top-container .search-input input.no-cursor{
color:transparent;
text-shadow:0 0 0 #000000
}
.collapsed-header .centered-top-container .search-input input.no-cursor:focus,.search-input input.no-cursor:focus{
outline:none
}
.search-focused>*{
visibility:hidden
}
.search-focused .search,.search-focused .search-icon{
visibility:visible
}
.widget.Sharing .sharing-button{
display:none
}
.widget.Sharing .sharing-buttons li{
padding:0
}
.widget.Sharing .sharing-buttons li span{
display:none
}
.post-share-buttons{
position:relative
}
.sharing-open.touch-icon-button:active .touch-icon,.sharing-open.touch-icon-button:focus .touch-icon{
background-color:transparent
}
.share-buttons{
background-color:#ecdffa;
border-radius:2px;
box-shadow:0 2px 2px 0 rgba(0,0,0,.14),0 3px 1px -2px rgba(0,0,0,.2),0 1px 5px 0 rgba(0,0,0,.12);
color:#000000;
list-style:none;
margin:0;
padding:8px 0;
position:absolute;
top:-11px;
min-width:200px;
z-index:101
}
.share-buttons.hidden{
display:none
}
.sharing-button{
background:transparent;
border:0;
margin:0;
outline:none;
padding:0;
cursor:pointer
}
.share-buttons li{
margin:0;
height:48px
}
.share-buttons li:last-child{
margin-bottom:0
}
.share-buttons li .sharing-platform-button{
box-sizing:border-box;
cursor:pointer;
display:block;
height:100%;
margin-bottom:0;
padding:0 16px;
position:relative;
width:100%
}
.share-buttons li .sharing-platform-button:focus,.share-buttons li .sharing-platform-button:hover{
background-color:hsla(0,0%,50.2%,.1);
outline:none
}
.share-buttons li svg[class*=sharing-],.share-buttons li svg[class^=sharing-]{
position:absolute;
top:10px
}
.share-buttons li span.sharing-platform-button{
position:relative;
top:0
}
.share-buttons li .platform-sharing-text{
display:block;
font-size:16px;
line-height:48px;
white-space:nowrap;
margin-left:56px
}
.sidebar-container{
background-color:#ecdffa;
max-width:284px;
overflow-y:auto;
-webkit-transition-property:-webkit-transform;
transition-property:-webkit-transform;
transition-property:transform;
transition-property:transform,-webkit-transform;
-webkit-transition-duration:.3s;
transition-duration:.3s;
-webkit-transition-timing-function:cubic-bezier(0,0,.2,1);
transition-timing-function:cubic-bezier(0,0,.2,1);
width:284px;
z-index:101;
-webkit-overflow-scrolling:touch
}
.sidebar-container .navigation{
line-height:0;
padding:16px
}
.sidebar-container .sidebar-back{
cursor:pointer
}
.sidebar-container .widget{
background:none;
margin:0 16px;
padding:16px 0
}
.sidebar-container .widget .title{
color:#000000;
margin:0
}
.sidebar-container .widget ul{
list-style:none;
margin:0;
padding:0
}
.sidebar-container .widget ul ul{
margin-left:1em
}
.sidebar-container .widget li{
font-size:16px;
line-height:normal
}
.sidebar-container .widget+.widget{
border-top:1px dashed #000000
}
.BlogArchive li{
margin:16px 0
}
.BlogArchive li:last-child{
margin-bottom:0
}
.Label li a{
display:inline-block
}
.BlogArchive .post-count,.Label .label-count{
float:right;
margin-left:.25em
}
.BlogArchive .post-count:before,.Label .label-count:before{
content:"("
}
.BlogArchive .post-count:after,.Label .label-count:after{
content:")"
}
.widget.Translate .skiptranslate>div{
display:block!important
}
.widget.Profile .profile-link{
display:-webkit-box;
display:flex
}
.widget.Profile .team-member .default-avatar-wrapper,.widget.Profile .team-member .profile-img{
-webkit-box-flex:0;
flex:0 0 auto;
margin-right:1em
}
.widget.Profile .individual .profile-link{
-webkit-box-orient:vertical;
-webkit-box-direction:normal;
flex-direction:column
}
.widget.Profile .team .profile-link .profile-name{
align-self:center;
display:block;
-webkit-box-flex:1;
flex:1 1 auto
}
.dim-overlay{
background-color:rgba(0,0,0,.54);
z-index:100
}
body.sidebar-visible{
overflow-y:hidden
}
@media screen and (max-width:1439px){
.sidebar-container{
bottom:0;
position:fixed;
top:0;
left:0;
right:auto
}
.sidebar-container.sidebar-invisible{
-webkit-transition-timing-function:cubic-bezier(.4,0,.6,1);
transition-timing-function:cubic-bezier(.4,0,.6,1);
-webkit-transform:translateX(-284px);
transform:translateX(-284px)
}
}
@media screen and (min-width:1440px){
.sidebar-container{
position:absolute;
top:0;
left:0;
right:auto
}
.sidebar-container .navigation{
display:none
}
}
.dialog{
box-shadow:0 2px 2px 0 rgba(0,0,0,.14),0 3px 1px -2px rgba(0,0,0,.2),0 1px 5px 0 rgba(0,0,0,.12);
background:#ecdffa;
box-sizing:border-box;
color:#000000;
padding:30px;
position:fixed;
text-align:center;
width:calc(100% - 24px);
z-index:101
}
.dialog input[type=email],.dialog input[type=text]{
background-color:transparent;
border:0;
border-bottom:1px solid rgba(0,0,0,.12);
color:#000000;
display:block;
font-family:Roboto, sans-serif;
font-size:16px;
line-height:24px;
margin:auto;
padding-bottom:7px;
outline:none;
text-align:center;
width:100%
}
.dialog input[type=email]::-webkit-input-placeholder,.dialog input[type=text]::-webkit-input-placeholder{
color:#000000
}
.dialog input[type=email]::-moz-placeholder,.dialog input[type=text]::-moz-placeholder{
color:#000000
}
.dialog input[type=email]:-ms-input-placeholder,.dialog input[type=text]:-ms-input-placeholder{
color:#000000
}
.dialog input[type=email]::-ms-input-placeholder,.dialog input[type=text]::-ms-input-placeholder{
color:#000000
}
.dialog input[type=email]::placeholder,.dialog input[type=text]::placeholder{
color:#000000
}
.dialog input[type=email]:focus,.dialog input[type=text]:focus{
border-bottom:2px solid #7b1fa2;
padding-bottom:6px
}
.dialog input.no-cursor{
color:transparent;
text-shadow:0 0 0 #000000
}
.dialog input.no-cursor:focus{
outline:none
}
.dialog input[type=submit]{
font-family:Roboto, sans-serif
}
.dialog .goog-buttonset-default{
color:#7b1fa2
}
.subscribe-popup{
max-width:364px
}
.subscribe-popup h3{
color:#000000;
font-size:1.8em;
margin-top:0
}
.subscribe-popup .FollowByEmail h3{
display:none
}
.subscribe-popup .FollowByEmail .follow-by-email-submit{
color:#7b1fa2;
display:inline-block;
margin:24px auto 0;
width:auto;
white-space:normal
}
.subscribe-popup .FollowByEmail .follow-by-email-submit:disabled{
cursor:default;
opacity:.3
}
@media (max-width:800px){
.blog-name div.widget.Subscribe{
margin-bottom:16px
}
body.item-view .blog-name div.widget.Subscribe{
margin:8px auto 16px;
width:100%
}
}
.tabs{
list-style:none
}
.tabs li,.tabs li a{
display:inline-block
}
.tabs li a{
cursor:pointer;
font-weight:700;
text-transform:uppercase;
padding:12px 8px
}
.tabs .selected{
border-bottom:4px solid #000000
}
.tabs .selected a{
color:#000000
}
body#layout .bg-photo,body#layout .bg-photo-overlay{
display:none
}
body#layout .page_body{
padding:0;
position:relative;
top:0
}
body#layout .page{
display:inline-block;
left:inherit;
position:relative;
vertical-align:top;
width:540px
}
body#layout .centered{
max-width:954px
}
body#layout .navigation{
display:none
}
body#layout .sidebar-container{
display:inline-block;
width:40%
}
body#layout .hamburger-menu,body#layout .search{
display:none
}
.centered-top-container .svg-icon-24,body.collapsed-header .centered-top-placeholder .svg-icon-24{
fill:#000000
}
.sidebar-container .svg-icon-24{
fill:#414141
}
.centered-bottom .svg-icon-24,body.collapsed-header .centered-top-container .svg-icon-24{
fill:#414141
}
.centered-bottom .share-buttons .svg-icon-24,.share-buttons .svg-icon-24{
fill:#000000
}
body{
background-color:#b489e9;
color:#000000;
font:normal normal 14px Roboto, sans-serif;
margin:0;
min-height:100vh
}
img{
max-width:100%
}
h3{
color:#000000;
font-size:16px
}
a{
text-decoration:none;
color:#7b1fa2
}
a:visited{
color:#000000
}
a:hover{
color:#7B1FA2
}
blockquote{
color:#000000;
font:italic 300 15px Roboto, sans-serif;
font-size:x-large;
text-align:center
}
.pill-button{
font-size:12px
}
.bg-photo-container{
height:491px;
overflow:hidden;
position:absolute;
width:100%;
z-index:1
}
.bg-photo{
background:#b489e9 none repeat scroll top left;
background-attachment:scroll;
background-size:cover;
-webkit-filter:blur(26px);
filter:blur(26px);
height:calc(100% + 2 * 26px);
left:-26px;
position:absolute;
top:-26px;
width:calc(100% + 2 * 26px)
}
.bg-photo-overlay{
background:rgba(0,0,0,0);
background-size:cover;
height:491px;
position:absolute;
width:100%;
z-index:2
}
.hamburger-menu{
float:left;
margin-top:0
}
.sticky .hamburger-menu{
float:none;
position:absolute
}
.no-sidebar-widget .hamburger-menu{
display:none
}
.footer .widget .title{
margin:0;
line-height:24px
}
.search{
border-bottom:1px solid rgba(0, 0, 0, 0);
float:right;
position:relative;
-webkit-transition-property:width;
transition-property:width;
-webkit-transition-duration:.5s;
transition-duration:.5s;
-webkit-transition-timing-function:cubic-bezier(.4,0,.2,1);
transition-timing-function:cubic-bezier(.4,0,.2,1);
z-index:101
}
.search .dim-overlay{
background-color:transparent
}
.search form{
height:36px;
-webkit-transition:border-color .2s cubic-bezier(.4,0,.2,1) .5s;
transition:border-color .2s cubic-bezier(.4,0,.2,1) .5s
}
.search.focused{
width:calc(100% - 48px)
}
.search.focused form{
display:-webkit-box;
display:flex;
-webkit-box-flex:1;
flex:1 0 1px;
border-color:#000000;
margin-left:-24px;
padding-left:36px;
position:relative;
width:auto
}
.item-view .search,.sticky .search{
right:0;
float:none;
margin-left:0;
position:absolute
}
.item-view .search.focused,.sticky .search.focused{
width:calc(100% - 50px)
}
.item-view .search.focused form,.sticky .search.focused form{
border-bottom-color:#000000
}
.centered-top-placeholder.cloned .search form{
z-index:30
}
.search_button{
-webkit-box-flex:0;
flex:0 0 24px;
-webkit-box-orient:vertical;
-webkit-box-direction:normal;
flex-direction:column
}
.search_button svg{
margin-top:0
}
.search-input{
height:48px
}
.search-input input{
display:block;
color:#000000;
font:16px Roboto, sans-serif;
height:48px;
line-height:48px;
padding:0;
width:100%
}
.search-input input::-webkit-input-placeholder{
color:#000000;
opacity:.3
}
.search-input input::-moz-placeholder{
color:#000000;
opacity:.3
}
.search-input input:-ms-input-placeholder{
color:#000000;
opacity:.3
}
.search-input input::-ms-input-placeholder{
color:#000000;
opacity:.3
}
.search-input input::placeholder{
color:#000000;
opacity:.3
}
.search-action{
background:transparent;
border:0;
color:#000000;
cursor:pointer;
display:none;
height:48px;
margin-top:0
}
.sticky .search-action{
color:#000000
}
.search.focused .search-action{
display:block
}
.search.focused .search-action:disabled{
opacity:.3
}
.page_body{
position:relative;
z-index:20
}
.page_body .widget{
margin-bottom:16px
}
.page_body .centered{
box-sizing:border-box;
display:-webkit-box;
display:flex;
-webkit-box-orient:vertical;
-webkit-box-direction:normal;
flex-direction:column;
margin:0 auto;
max-width:922px;
min-height:100vh;
padding:24px 0
}
.page_body .centered>*{
-webkit-box-flex:0;
flex:0 0 auto
}
.page_body .centered>.footer{
margin-top:auto;
text-align:center
}
.blog-name{
margin:32px 0 16px
}
.item-view .blog-name,.sticky .blog-name{
box-sizing:border-box;
margin-left:36px;
min-height:48px;
opacity:1;
padding-top:12px
}
.blog-name .subscribe-section-container{
margin-bottom:32px;
text-align:center;
-webkit-transition-property:opacity;
transition-property:opacity;
-webkit-transition-duration:.5s;
transition-duration:.5s
}
.item-view .blog-name .subscribe-section-container,.sticky .blog-name .subscribe-section-container{
margin:0 0 8px
}
.blog-name .subscribe-empty-placeholder{
margin-bottom:48px
}
.blog-name .PageList{
margin-top:16px;
padding-top:8px;
text-align:center
}
.blog-name .PageList .overflowable-contents{
width:100%
}
.blog-name .PageList h3.title{
color:#000000;
margin:8px auto;
text-align:center;
width:100%
}
.centered-top-container .blog-name{
-webkit-transition-property:opacity;
transition-property:opacity;
-webkit-transition-duration:.5s;
transition-duration:.5s
}
.item-view .return_link{
margin-bottom:12px;
margin-top:12px;
position:absolute
}
.item-view .blog-name{
display:-webkit-box;
display:flex;
flex-wrap:wrap;
margin:0 48px 27px
}
.item-view .subscribe-section-container{
-webkit-box-flex:0;
flex:0 0 auto
}
.item-view #header,.item-view .Header{
margin-bottom:5px;
margin-right:15px
}
.item-view .sticky .Header{
margin-bottom:0
}
.item-view .Header p{
margin:10px 0 0;
text-align:left
}
.item-view .post-share-buttons-bottom{
margin-right:16px
}
.sticky{
background:#ecdffa;
box-shadow:0 0 20px 0 rgba(0,0,0,.7);
box-sizing:border-box;
margin-left:0
}
.sticky #header{
margin-bottom:8px;
margin-right:8px
}
.sticky .centered-top{
margin:4px auto;
max-width:890px;
min-height:48px
}
.sticky .blog-name{
display:-webkit-box;
display:flex;
margin:0 48px
}
.sticky .blog-name #header{
-webkit-box-flex:0;
flex:0 1 auto;
-webkit-box-ordinal-group:2;
order:1;
overflow:hidden
}
.sticky .blog-name .subscribe-section-container{
-webkit-box-flex:0;
flex:0 0 auto;
-webkit-box-ordinal-group:3;
order:2
}
.sticky .Header h1{
overflow:hidden;
text-overflow:ellipsis;
white-space:nowrap;
margin-right:-10px;
margin-bottom:-10px;
padding-right:10px;
padding-bottom:10px
}
.sticky .Header p,.sticky .PageList{
display:none
}
.search-focused .hamburger-menu,.search-focused>*{
visibility:visible
}
.item-view .search-focused .blog-name,.sticky .search-focused .blog-name{
opacity:0
}
.centered-bottom,.centered-top-container,.centered-top-placeholder{
padding:0 16px
}
.centered-top{
position:relative
}
.item-view .centered-top.search-focused .subscribe-section-container,.sticky .centered-top.search-focused .subscribe-section-container{
opacity:0
}
.page_body.has-vertical-ads .centered .centered-bottom{
display:inline-block;
width:calc(100% - 176px)
}
.Header h1{
font:normal bold 60px Roboto, sans-serif;
line-height:normal;
margin:0 0 13px;
text-align:center;
width:100%
}
.Header h1,.Header h1 a,.Header h1 a:hover,.Header h1 a:visited{
color:#000000
}
.item-view .Header h1,.sticky .Header h1{
font-size:24px;
line-height:24px;
margin:0;
text-align:left
}
.sticky .Header h1,.sticky .Header h1 a,.sticky .Header h1 a:hover,.sticky .Header h1 a:visited{
color:#000000
}
.Header p{
color:#000000;
margin:0 0 13px;
opacity:.8;
text-align:center
}
.widget .title{
line-height:28px
}
.BlogArchive li{
font-size:16px
}
.BlogArchive .post-count{
color:#000000
}
#page_body .FeaturedPost,.Blog .blog-posts .post-outer-container{
background:#ecdffa;
min-height:40px;
padding:30px 40px;
width:auto;
box-shadow:0 1px 4px 0 rgba(0,0,0,0.298)
}
.Blog .blog-posts .post-outer-container:last-child{
margin-bottom:0
}
.Blog .blog-posts .post-outer-container .post-outer{
border:0;
position:relative;
padding-bottom:.25em
}
.post-outer-container{
margin-bottom:16px
}
.post:first-child{
margin-top:0
}
.post .thumb{
float:left;
height:20%;
width:20%
}
.post-share-buttons-bottom,.post-share-buttons-top{
float:right
}
.post-share-buttons-bottom{
margin-right:24px
}
.post-footer,.post-header{
clear:left;
color:rgba(0,0,0,0.537);
margin:0;
width:inherit
}
.blog-pager{
text-align:center
}
.blog-pager a{
color:#7b1fa2
}
.blog-pager a:visited{
color:#000000
}
.blog-pager a:hover{
color:#7B1FA2
}
.post-title{
font:bold 22px Roboto, sans-serif;
float:left;
margin:0 0 8px;
max-width:calc(100% - 48px)
}
.post-title a{
font:bold 30px Roboto, sans-serif
}
.post-title,.post-title a,.post-title a:hover,.post-title a:visited{
color:#000000
}
.post-body{
color:#000000;
font:normal normal 14px Roboto, sans-serif;
line-height:1.6em;
margin:1.5em 0 2em;
display:block
}
.post-body img{
height:inherit
}
.post-body .snippet-thumbnail{
float:left;
margin:0;
margin-right:2em;
max-height:128px;
max-width:128px
}
.post-body .snippet-thumbnail img{
max-width:100%
}
.main .FeaturedPost .widget-content{
border:0;
position:relative;
padding-bottom:.25em
}
.FeaturedPost img{
margin-top:2em
}
.FeaturedPost .snippet-container{
margin:2em 0
}
.FeaturedPost .snippet-container p{
margin:0
}
.FeaturedPost .snippet-thumbnail{
float:none;
height:auto;
margin-bottom:2em;
margin-right:0;
overflow:hidden;
max-height:calc(600px + 2em);
max-width:100%;
text-align:center;
width:100%
}
.FeaturedPost .snippet-thumbnail img{
max-width:100%;
width:100%
}
.byline{
color:rgba(0,0,0,0.537);
display:inline-block;
line-height:24px;
margin-top:8px;
vertical-align:top
}
.byline.post-author:first-child{
margin-right:0
}
.byline.reactions .reactions-label{
line-height:22px;
vertical-align:top
}
.byline.post-share-buttons{
position:relative;
display:inline-block;
margin-top:0;
width:100%
}
.byline.post-share-buttons .sharing{
float:right
}
.flat-button.ripple:hover{
background-color:rgba(123,31,162,.12)
}
.flat-button.ripple .splash{
background-color:rgba(123,31,162,.4)
}
a.timestamp-link,a:active.timestamp-link,a:visited.timestamp-link{
color:inherit;
font:inherit;
text-decoration:inherit
}
.post-share-buttons{
margin-left:0
}
.post-share-buttons.invisible{
display:none
}
.clear-sharing{
min-height:24px
}
.comment-link{
color:#7b1fa2;
position:relative
}
.comment-link .num_comments{
margin-left:8px;
vertical-align:top
}
#comment-holder .continue{
display:none
}
#comment-editor{
margin-bottom:20px;
margin-top:20px
}
#comments .comment-form h4,#comments h3.title{
position:absolute;
clip:rect(1px,1px,1px,1px);
padding:0;
border:0;
height:1px;
width:1px;
overflow:hidden
}
.post-filter-message{
background-color:rgba(0,0,0,.7);
color:#fff;
display:table;
margin-bottom:16px;
width:100%
}
.post-filter-message div{
display:table-cell;
padding:15px 28px
}
.post-filter-message div:last-child{
padding-left:0;
text-align:right
}
.post-filter-message a{
white-space:nowrap
}
.post-filter-message .search-label,.post-filter-message .search-query{
font-weight:700;
color:#7b1fa2
}
#blog-pager{
margin:2em 0
}
#blog-pager a{
color:#7b1fa2;
font-size:14px
}
.subscribe-button{
border-color:#000000;
color:#000000
}
.sticky .subscribe-button{
border-color:#000000;
color:#000000
}
.tabs{
margin:0 auto;
padding:0
}
.tabs li{
margin:0 8px;
vertical-align:top
}
.tabs .overflow-button a,.tabs li a{
color:#4e4e4e;
font:700 normal 15px Roboto, sans-serif;
line-height:16.8px
}
.tabs .overflow-button a{
padding:12px 8px
}
.overflow-popup .tabs li{
text-align:left
}
.overflow-popup li a{
color:#000000;
display:block;
padding:8px 20px
}
.overflow-popup li.selected a{
color:#000000
}
.ReportAbuse.widget{
margin-bottom:0
}
.ReportAbuse a.report_abuse{
display:inline-block;
margin-bottom:8px;
font:normal normal 14px Roboto, sans-serif;
font-weight:400;
line-height:24px
}
.ReportAbuse a.report_abuse,.ReportAbuse a.report_abuse:hover{
color:#888
}
.byline.post-labels a,.Label li,.Label span.label-size{
background-color:#f1f1f1;
border:1px solid #f1f1f1;
border-radius:15px;
display:inline-block;
margin:4px 4px 4px 0;
padding:3px 8px
}
.byline.post-labels a,.Label a{
color:#000000
}
.Label ul{
list-style:none;
padding:0
}
.PopularPosts{
background-color:#b489e9;
padding:30px 40px
}
.PopularPosts .item-content{
color:#000000;
margin-top:24px
}
.PopularPosts a,.PopularPosts a:hover,.PopularPosts a:visited{
color:#7b1fa2
}
.PopularPosts .post-title,.PopularPosts .post-title a,.PopularPosts .post-title a:hover,.PopularPosts .post-title a:visited{
color:#000000;
font-size:18px;
font-weight:700;
line-height:24px
}
.PopularPosts,.PopularPosts h3.title a{
color:#000000;
font:normal normal 14px Roboto, sans-serif
}
.main .PopularPosts{
padding:16px 40px
}
.PopularPosts h3.title{
font-size:14px;
margin:0
}
.PopularPosts h3.post-title{
margin-bottom:0
}
.PopularPosts .byline{
color:rgba(0,0,0,0.537)
}
.PopularPosts .jump-link{
float:right;
margin-top:16px
}
.PopularPosts .post-header .byline{
font-size:.9em;
font-style:italic;
margin-top:6px
}
.PopularPosts ul{
list-style:none;
padding:0;
margin:0
}
.PopularPosts .post{
padding:20px 0
}
.PopularPosts .post+.post{
border-top:1px dashed #000000
}
.PopularPosts .item-thumbnail{
float:left;
margin-right:32px
}
.PopularPosts .item-thumbnail img{
height:88px;
padding:0;
width:88px
}
.inline-ad{
margin-bottom:16px
}
.desktop-ad .inline-ad{
display:block
}
.adsbygoogle{
overflow:hidden
}
.vertical-ad-container{
float:right;
margin-right:16px;
width:128px
}
.vertical-ad-container .AdSense+.AdSense{
margin-top:16px
}
.inline-ad-placeholder,.vertical-ad-placeholder{
background:#ecdffa;
border:1px solid #000;
opacity:.9;
vertical-align:middle;
text-align:center
}
.inline-ad-placeholder span,.vertical-ad-placeholder span{
margin-top:290px;
display:block;
text-transform:uppercase;
font-weight:700;
color:#000000
}
.vertical-ad-placeholder{
height:600px
}
.vertical-ad-placeholder span{
margin-top:290px;
padding:0 40px
}
.inline-ad-placeholder{
height:90px
}
.inline-ad-placeholder span{
margin-top:36px
}
.Attribution{
display:inline-block;
color:#000000
}
.Attribution a,.Attribution a:hover,.Attribution a:visited{
color:#7b1fa2
}
.Attribution svg{
display:none
}
.sidebar-container{
box-shadow:1px 1px 3px rgba(0,0,0,.1)
}
.sidebar-container,.sidebar-container .sidebar_bottom{
background-color:#ecdffa
}
.sidebar-container .navigation,.sidebar-container .sidebar_top_wrapper{
background-color:#ecdffa
}
.sidebar-container .sidebar_top{
overflow:auto
}
.sidebar-container .sidebar_bottom{
width:100%;
padding-top:16px
}
.sidebar-container .widget:first-child{
padding-top:0
}
.no-sidebar-widget .sidebar-container,.preview .sidebar-container{
display:none
}
.sidebar_top .widget.Profile{
padding-bottom:16px
}
.widget.Profile{
margin:0;
width:100%
}
.widget.Profile h2{
display:none
}
.widget.Profile h3.title{
color:rgba(0,0,0,0.518);
margin:16px 32px
}
.widget.Profile .individual{
text-align:center
}
.widget.Profile .individual .profile-link{
padding:1em
}
.widget.Profile .individual .default-avatar-wrapper .avatar-icon{
margin:auto
}
.widget.Profile .team{
margin-bottom:32px;
margin-left:32px;
margin-right:32px
}
.widget.Profile ul{
list-style:none;
padding:0
}
.widget.Profile li{
margin:10px 0
}
.widget.Profile .profile-img{
border-radius:50%;
float:none
}
.widget.Profile .profile-link{
color:#000000;
font-size:.9em;
margin-bottom:1em;
opacity:.87;
overflow:hidden
}
.widget.Profile .profile-link.visit-profile{
border-style:solid;
border-width:1px;
border-radius:12px;
cursor:pointer;
font-size:12px;
font-weight:400;
padding:5px 20px;
display:inline-block;
line-height:normal
}
.widget.Profile dd{
color:rgba(0,0,0,0.537);
margin:0 16px
}
.widget.Profile location{
margin-bottom:1em
}
.widget.Profile .profile-textblock{
font-size:14px;
line-height:24px;
position:relative
}
body.sidebar-visible .bg-photo-container,body.sidebar-visible .page_body{
overflow-y:scroll
}
@media screen and (min-width:1440px){
.sidebar-container{
min-height:100%;
overflow:visible;
z-index:32
}
.sidebar-container.show-sidebar-top{
margin-top:491px;
min-height:calc(100% - 491px)
}
.sidebar-container .sidebar_top_wrapper{
background-color:#ecdffa;
height:491px;
margin-top:-491px
}
.sidebar-container .sidebar_top{
height:491px;
max-height:491px
}
.sidebar-container .sidebar_bottom{
max-width:284px;
width:284px
}
body.collapsed-header .sidebar-container{
z-index:15
}
.sidebar-container .sidebar_top:empty{
display:none
}
.sidebar-container .sidebar_top>:only-child{
-webkit-box-flex:0;
flex:0 0 auto;
align-self:center;
width:100%
}
.sidebar_top_wrapper.no-items{
display:none
}
}
.post-snippet.snippet-container{
max-height:120px
}
.post-snippet .snippet-item{
line-height:24px
}
.post-snippet .snippet-fade{
background:-webkit-linear-gradient(left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
background:linear-gradient(to left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
color:#000000;
height:24px
}
.popular-posts-snippet.snippet-container{
max-height:72px
}
.popular-posts-snippet .snippet-item{
line-height:24px
}
.PopularPosts .popular-posts-snippet .snippet-fade{
color:#000000;
height:24px
}
.main .popular-posts-snippet .snippet-fade{
background:-webkit-linear-gradient(left,#b489e9 0,#b489e9 20%,rgba(180, 137, 233, 0) 100%);
background:linear-gradient(to left,#b489e9 0,#b489e9 20%,rgba(180, 137, 233, 0) 100%)
}
.sidebar_bottom .popular-posts-snippet .snippet-fade{
background:-webkit-linear-gradient(left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
background:linear-gradient(to left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%)
}
.profile-snippet.snippet-container{
max-height:192px
}
.has-location .profile-snippet.snippet-container{
max-height:144px
}
.profile-snippet .snippet-item{
line-height:24px
}
.profile-snippet .snippet-fade{
background:-webkit-linear-gradient(left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
background:linear-gradient(to left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
color:rgba(0,0,0,0.537);
height:24px
}
@media screen and (min-width:1440px){
.profile-snippet .snippet-fade{
background:-webkit-linear-gradient(left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%);
background:linear-gradient(to left,#ecdffa 0,#ecdffa 20%,rgba(236, 223, 250, 0) 100%)
}
}
@media screen and (max-width:800px){
.blog-name{
margin-top:0
}
body.item-view .blog-name{
margin:0 48px
}
.blog-name .subscribe-empty-placeholder{
margin-bottom:0
}
.centered-bottom{
padding:8px
}
body.item-view .centered-bottom{
padding:0
}
body.item-view #header,body.item-view .widget.Header{
margin-right:0
}
body.collapsed-header .centered-top-container .blog-name{
display:block
}
body.collapsed-header .centered-top-container .widget.Header h1{
text-align:center
}
.widget.Header header{
padding:0
}
.widget.Header h1{
/* NOTE(review): both `$(blog.title.font.size * 24/45)` values are unsubstituted template
   expressions, not CSS. Each is an invalid declaration that the parser drops on its own, so
   at this breakpoint only margin-bottom takes effect and the font-size/line-height set by the
   earlier `.Header h1` / `.item-view .Header h1` rules still apply. */
font-size:$(blog.title.font.size * 24/45);
line-height:$(blog.title.font.size * 24/45);
margin-bottom:13px
}
body.item-view .widget.Header h1,body.item-view .widget.Header p{
text-align:center
}
.blog-name .widget.PageList{
padding:0
}
body.item-view .centered-top{
margin-bottom:5px
}
.search-action,.search-input{
margin-bottom:-8px
}
.search form{
margin-bottom:8px
}
body.item-view .subscribe-section-container{
margin:5px 0 0;
width:100%
}
#page_body.section div.widget.FeaturedPost,.widget.Blog .blog-posts .post-outer-container,.widget.PopularPosts{
padding:16px
}
.widget.Blog .blog-posts .post-outer-container .post-outer{
padding:0
}
.post:first-child{
margin:0
}
.post-body .snippet-thumbnail{
margin:0 3vw 3vw 0
}
.post-body .snippet-thumbnail img{
height:20vw;
width:20vw;
max-height:128px;
max-width:128px
}
.widget.PopularPosts div.item-thumbnail{
margin:0 3vw 3vw 0
}
.widget.PopularPosts div.item-thumbnail img{
height:20vw;
width:20vw;
max-height:88px;
max-width:88px
}
.post-title{
line-height:1
}
.post-title,.post-title a{
font-size:20px
}
#page_body.section div.widget.FeaturedPost h3 a{
font-size:22px
}
.mobile-ad .inline-ad{
display:block
}
.page_body.has-vertical-ads .vertical-ad-container,.page_body.has-vertical-ads .vertical-ad-container ins{
display:none
}
.page_body.has-vertical-ads .centered .centered-bottom,.page_body.has-vertical-ads .centered .centered-top{
display:block;
width:auto
}
.post-filter-message div{
padding:8px 16px
}
}
@media screen and (min-width:1440px){
body{
position:relative
}
body.item-view .blog-name{
margin-left:48px
}
.no-sidebar-widget .page_body,.preview .page_body{
margin-left:0
}
.page_body{
margin-left:284px
}
.search{
margin-left:0
}
.search.focused{
width:100%
}
.sticky{
padding-left:284px
}
.hamburger-menu{
display:none
}
body.collapsed-header .page_body .centered-top-container{
padding-left:284px;
padding-right:0;
width:100%
}
body.collapsed-header .centered-top-container .search.focused{
width:100%
}
body.collapsed-header .centered-top-container .blog-name{
margin-left:0
}
body.collapsed-header.item-view .centered-top-container .search.focused{
width:calc(100% - 50px)
}
body.collapsed-header.item-view .centered-top-container .blog-name{
margin-left:40px
}
}

--></style>
<style id='template-skin-1' type='text/css'><!--
/* Layout-editor overrides. Every selector is scoped to body#layout, so nothing here applies
   to this rendered page, whose <body> carries classes but no id. Where a selector repeats one
   from the main stylesheet (body#layout .page, .sidebar-container, .navigation,
   .hamburger-menu) the specificity is identical and this later sheet wins: .page ends up
   floated right at 55% width rather than the fixed 540px declared earlier. */
body#layout .hidden,
body#layout .invisible {
/* display:inherit presumably re-reveals elements hidden on the live page; confirm against the editor. */
display: inherit;
}
body#layout .navigation {
display: none;
}
body#layout .page,
body#layout .sidebar_top,
body#layout .sidebar_bottom {
display: inline-block;
left: inherit;
position: relative;
vertical-align: top;
}
body#layout .page {
float: right;
margin-left: 20px;
width: 55%;
}
body#layout .sidebar-container {
float: right;
width: 40%;
}
body#layout .hamburger-menu {
display: none;
}
--></style>
<!-- NOTE(review): third-party script loaded from gstatic.com with no Subresource Integrity, so a
     modified file at that URL would run in this origin unchecked. Pin it with
     integrity='sha384-PLACEHOLDER-hash-of-the-served-file' crossorigin='anonymous' (compute the
     hash from the exact file served; this only works if the hosted file is versioned rather than
     updated in place). async='async' is a boolean attribute and can be written as bare async. -->
<script async='async' src='https://www.gstatic.com/external_hosted/clipboardjs/clipboard.min.js'></script>
<!-- NOTE(review): the inline onload handler flips media from 'none' to 'all' once the stylesheet
     has loaded (non-blocking CSS), with the same URL repeated in the <noscript> fallback. Inline
     event handlers need 'unsafe-inline' or a hash under a script-src CSP, so a strict CSP would
     require moving this media switch into an external script bound with addEventListener. -->
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4913778223018726354&amp;zx=194149dc-0535-40a3-8a28-55218fa72469' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4913778223018726354&amp;zx=194149dc-0535-40a3-8a28-55218fa72469' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

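<!-- Classic script: no type= needed (it is the default) and the language= attribute is obsolete. -->
<script>
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  //
  // Assign through window.* explicitly. Relying on implicit global creation works in sloppy
  // mode but throws under 'use strict' (e.g. if this snippet is ever moved into a module or a
  // strict bundle); the observable result, a global `adsbygoogle` array, is the same.
  // NOTE(review): this is an inline script, so a script-src CSP on the page would need a
  // per-response nonce or a hash for this block.
  window.adsbygoogle = window.adsbygoogle || [];
  if (typeof window.adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    window.adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>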


</head>
<body class='item-view variant-strm_light'>
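<!-- Skip link for keyboard and screen-reader users. Its target is <main id='main' tabindex='-1'>
     further down the page; the link itself needs no tabindex, because an <a href> is already in
     the tab order. -->
<a class='skip-navigation' href='#main'>
Skip to main content
</a>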
<div class='page'>
<div class='bg-photo-overlay'></div>
<div class='bg-photo-container'>
<div class='bg-photo'></div>
</div>
<div class='page_body'>
<div class='centered'>
<div class='centered-top-placeholder'></div>
<header class='centered-top-container' role='banner'>
<!-- Page banner: back link, blog title <h1> and the top page list. role='banner' here and
     role='navigation' on the <nav> below repeat the elements' native roles and can be dropped. -->
<div class='centered-top'>
<!-- NOTE(review): a <button> nested inside an <a> is interactive content inside a link, which HTML
     forbids, and the button has neither type='button' nor an accessible name (its only content is an
     icon <svg> with no <title> or aria-label), so assistive technology announces an unlabeled button
     inside a link. If the template's scripts allow it, make the <a> the sole control with
     aria-label='Back to home page' and mark the <svg> aria-hidden='true'. -->
<a class='return_link' href='https://www.inversecos.com/'>
<button class='svg-icon-24-button back-button rtl-reversible-icon flat-icon-button ripple'>
<svg class='svg-icon-24'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_arrow_back_black_24dp' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
</button>
</a>
<div class='clearboth'></div>
<div class='blog-name container'>
<!-- name= is not a valid attribute on <div> (here and on the page-list section below); if a script
     reads it, data-name= would keep the markup conforming. -->
<div class='container section' id='header' name='Header'><div class='widget Header' data-version='2' id='Header1'>
<div class='header-widget'>
<div>
<h1>
<a href='https://www.inversecos.com/'>
InverseCos
</a>
</h1>
</div>
<!-- Empty <p>; can be omitted. -->
<p>
</p>
</div>
</div></div>
<!-- Top page list: the 'no-items' section holds no links on this page, so the <nav> landmark
     exposes nothing; consider rendering it only when there are pages to list. -->
<nav role='navigation'>
<div class='clearboth no-items section' id='page_list_top' name='Page list (top)'>
</div>
</nav>
</div>
</div>
</header>
<div>
<div class='vertical-ad-container no-items section' id='ads' name='Ads'>
</div>
<main class='centered-bottom' id='main' role='main' tabindex='-1'>
<div class='main section' id='page_body' name='Page body'>
<div class='widget Blog' data-version='2' id='Blog1'>
<div class='blog-posts hfeed container'>
<article class='post-outer-container'>
<div class='post-outer'>
<div class='post'>
<script type='application/ld+json'>{
  "@context": "http://schema.org",
  "@type": "BlogPosting",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html"
  },
  "headline": "Detecting Linux Anti-Forensics Log Tampering","description": "&#160; When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine log...","datePublished": "2022-06-22T00:22:00-07:00",
  "dateModified": "2022-06-22T00:22:14-07:00","image": {
    "@type": "ImageObject","url": "https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9_nLzfqraZb2qdaZP3pw9FnzRwStVKBX3FWoGqaCxtTzkzM_vXn2utPncfIyL7v38Pb39ggaycVs7h83LSuS0_4Otx2f0cPnnXw6RTyxSxSDbQwX0OQglt-4oush9XyknHY2A7xG3-BQAbOl80n0rcMTExHwdT3eH1nYX7D_vZcJW4iFAd1GUAgaKqw/w1200-h630-p-k-no-nu/4.png",
    "height": 630,
    "width": 1200},"publisher": {
    "@type": "Organization",
    "name": "Blogger",
    "logo": {
      "@type": "ImageObject",
      "url": "https://blogger.googleusercontent.com/img/b/U2hvZWJveA/AVvXsEgfMvYAhAbdHksiBA24JKmb2Tav6K0GviwztID3Cq4VpV96HaJfy0viIu8z1SSw_G9n5FQHZWSRao61M3e58ImahqBtr7LiOUS6m_w59IvDYwjmMcbq3fKW4JSbacqkbxTo8B90dWp0Cese92xfLMPe_tg11g/h60/",
      "width": 206,
      "height": 60
    }
  },"author": {
    "@type": "Person",
    "name": "inversecos"
  }
}</script>
<!-- NOTE(review): name= on <a> is obsolete in HTML; the post id would work as an id= fragment
     target (id='8350766800150925637') so #… links still resolve. Keep name= only if a script
     queries a[name] (none visible here). -->
<a name='8350766800150925637'></a>
<!-- Post title. The blog title is the page's <h1>; this <h3> is the article heading. -->
<h3 class='post-title entry-title'>
Detecting Linux Anti-Forensics Log Tampering
</h3>
<div class='post-share-buttons post-share-buttons-top'>
<!-- NOTE(review): share widget markup. The trigger <button> repeats role='button' on a native
     button and omits type='button' (it is not inside a <form>, so it cannot submit, but the explicit
     type is the convention). Each share target is a <span role='menuitem' tabindex='-1'> whose
     destination lives in data-href rather than an <a href>, so the items only work through the
     widget's script (not visible here) and are not reachable as plain links; title= duplicates
     aria-label= on every item and adds nothing for keyboard users. The <ul role='menu'> starts
     aria-hidden='true' with class 'hidden', and the last item ('Other Apps') is hidden separately;
     presumably the same script toggles both. -->
<div class='byline post-share-buttons goog-inline-block'>
<div aria-owns='sharing-popup-Blog1-byline-8350766800150925637' class='sharing' data-title='Detecting Linux Anti-Forensics Log Tampering'>
<button aria-controls='sharing-popup-Blog1-byline-8350766800150925637' aria-label='Share' class='sharing-button touch-icon-button' id='sharing-button-Blog1-byline-8350766800150925637' role='button'>
<div class='flat-icon-button ripple'>
<svg class='svg-icon-24'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_share_black_24dp' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
</div>
</button>
<div class='share-buttons-container'>
<ul aria-hidden='true' aria-label='Share' class='share-buttons hidden' id='sharing-popup-Blog1-byline-8350766800150925637' role='menu'>
<li>
<span aria-label='Get link' class='sharing-platform-button sharing-element-link' data-href='https://www.blogger.com/share-post.g?blogID=4913778223018726354&postID=8350766800150925637&target=' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Get link'>
<svg class='svg-icon-24 touch-icon sharing-link'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_link_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Get link</span>
</span>
</li>
<li>
<span aria-label='Share to Facebook' class='sharing-platform-button sharing-element-facebook' data-href='https://www.blogger.com/share-post.g?blogID=4913778223018726354&postID=8350766800150925637&target=facebook' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Share to Facebook'>
<svg class='svg-icon-24 touch-icon sharing-facebook'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_facebook_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Facebook</span>
</span>
</li>
<li>
<span aria-label='Share to Twitter' class='sharing-platform-button sharing-element-twitter' data-href='https://www.blogger.com/share-post.g?blogID=4913778223018726354&postID=8350766800150925637&target=twitter' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Share to Twitter'>
<svg class='svg-icon-24 touch-icon sharing-twitter'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_twitter_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Twitter</span>
</span>
</li>
<li>
<span aria-label='Share to Pinterest' class='sharing-platform-button sharing-element-pinterest' data-href='https://www.blogger.com/share-post.g?blogID=4913778223018726354&postID=8350766800150925637&target=pinterest' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Share to Pinterest'>
<svg class='svg-icon-24 touch-icon sharing-pinterest'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_pinterest_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Pinterest</span>
</span>
</li>
<li>
<span aria-label='Email' class='sharing-platform-button sharing-element-email' data-href='https://www.blogger.com/share-post.g?blogID=4913778223018726354&postID=8350766800150925637&target=email' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Email'>
<svg class='svg-icon-24 touch-icon sharing-email'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_email_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Email</span>
</span>
</li>
<li aria-hidden='true' class='hidden'>
<span aria-label='Share to other apps' class='sharing-platform-button sharing-element-other' data-url='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' role='menuitem' tabindex='-1' title='Share to other apps'>
<svg class='svg-icon-24 touch-icon sharing-sharingOther'>
<use xlink:href='/responsive/sprite_v1_6.css.svg#ic_more_horiz_black_24dp' xmlns:xlink='http://www.w3.org/1999/xlink'></use>
</svg>
<span class='platform-sharing-text'>Other Apps</span>
</span>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class='post-header'>
<div class='post-header-line-1'>
<span class='byline post-timestamp'>
<!-- NOTE(review): this <meta> sits in <body> with content= but no name=, property= or itemprop=,
     so it carries no metadata and is non-conforming; drop it, or give it an itemprop if it is meant
     as structured data (possibly a leftover of the template's microformat markup; confirm). -->
<meta content='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html'/>
<!-- Permalink; the <time> already exposes the machine-readable instant via datetime=, so its
     title= (same value) is redundant. -->
<a class='timestamp-link' href='https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html' rel='bookmark' title='permanent link'>
<time class='published' datetime='2022-06-22T00:22:00-07:00' title='2022-06-22T00:22:00-07:00'>
June 22, 2022
</time>
</a>
</span>
</div>
</div>
<div class='post-body entry-content float-container' id='post-body-8350766800150925637'>
<p></p><div style="text-align: left;"><span style="font-family: verdana;">&nbsp;</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9_nLzfqraZb2qdaZP3pw9FnzRwStVKBX3FWoGqaCxtTzkzM_vXn2utPncfIyL7v38Pb39ggaycVs7h83LSuS0_4Otx2f0cPnnXw6RTyxSxSDbQwX0OQglt-4oush9XyknHY2A7xG3-BQAbOl80n0rcMTExHwdT3eH1nYX7D_vZcJW4iFAd1GUAgaKqw/s1153/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="330" data-original-width="1153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9_nLzfqraZb2qdaZP3pw9FnzRwStVKBX3FWoGqaCxtTzkzM_vXn2utPncfIyL7v38Pb39ggaycVs7h83LSuS0_4Otx2f0cPnnXw6RTyxSxSDbQwX0OQglt-4oush9XyknHY2A7xG3-BQAbOl80n0rcMTExHwdT3eH1nYX7D_vZcJW4iFAd1GUAgaKqw/s16000/4.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><p></p><p style="text-align: left;"><span style="font-family: verdana;">When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:</span></p><p></p><ul style="text-align: left;"><li style="text-align: left;"><span style="font-family: verdana;">/var/run/utmp &#8211; currently logged in users</span></li><li style="text-align: left;"><span style="font-family: verdana;">/var/log/wtmp &#8211; current and past logins, and system reboots&nbsp;</span></li><li style="text-align: left;"><span style="font-family: verdana;">/var/log/btmp &#8211; bad login attempts&nbsp;</span></li></ul><p></p><p style="text-align: left;"><span style="font-family: verdana;">Of course, these artefacts are not all you can forensically investigate for malicious access (there are other artefacts you can examine); however, these will be the focus of this anti-forensics blog post.&nbsp;</span></p><p></p><div style="text-align: left;"><span style="font-family: 
verdana;">In this post, I will walk through two methods of removing and tampering with these artefacts to delete the malicious logins you want to hide. The first method (nulling) alters the hex of the file in place but is more obvious to detect; the second method (overwriting) removes the log line completely from the file by overwriting the binary file. I will then walk through a simple way of detecting both methods based on timestamps that you can check. If timestamps are king &#8211; then I&#8217;ll be his queen!</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><p></p><p style="text-align: left;"><b><span style="font-family: verdana; font-size: large;">Method 1 &#8211; Nulling the Entry&nbsp;</span></b></p><p style="text-align: left;"><span style="font-family: verdana;">This method is almost trivial to perform but leaves at least two means of detection for a responder. The picture below shows the untampered output of the /var/log/wtmp binary. Please note that I will be using this file for the examples, but this technique can be used across all three artefacts.&nbsp;</span></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSZHw-HXgBoRSEH63batbMFgPfJ-O-0zuFDA9M1XqmGm6tSP1bPJYsm6GWYOONPUDiVSgLYySVeykQLE9aAtfLGdzPlij7yEmWNwKHvqGixkUg9QFdYwvgKaCHsGdyevO1vY2bY4-J9SlXrqZ5Yprxa9jTOl94LsIMCG3Zwc2mriJARWkUc8WHTrKzTw/s1153/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="308" data-original-width="1153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSZHw-HXgBoRSEH63batbMFgPfJ-O-0zuFDA9M1XqmGm6tSP1bPJYsm6GWYOONPUDiVSgLYySVeykQLE9aAtfLGdzPlij7yEmWNwKHvqGixkUg9QFdYwvgKaCHsGdyevO1vY2bY4-J9SlXrqZ5Yprxa9jTOl94LsIMCG3Zwc2mriJARWkUc8WHTrKzTw/s16000/1.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br 
/></span></div><div style="text-align: left;"><span style="font-family: verdana;">To kick this off, the attacker should ensure no bash history is being logged. You can do this through running the command below to set the HISTSIZE=0. This will prevent the shell commands from being logged when you&#8217;re on the system:&nbsp;</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZcrmdGCtpepzcLj7wkSZPj76-xOl6e0_GqlzbgrlujFn6gLiST4KBKIquDolYDn3JP--ZE7mcUeug-c4dKG0ii0S6LZFGXJTWqG2J0vcZTwlp5i6GMPex1pTZSNbte4hnysV6MSKgtgNJh3zusIfVlslNp5BLu04_xG_RfkljObDMzWdY6TY_JXkfw/s1346/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="43" data-original-width="1346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZcrmdGCtpepzcLj7wkSZPj76-xOl6e0_GqlzbgrlujFn6gLiST4KBKIquDolYDn3JP--ZE7mcUeug-c4dKG0ii0S6LZFGXJTWqG2J0vcZTwlp5i6GMPex1pTZSNbte4hnysV6MSKgtgNJh3zusIfVlslNp5BLu04_xG_RfkljObDMzWdY6TY_JXkfw/s16000/2.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div><div style="text-align: left;"><span style="font-family: verdana;">There are attack tools you can use to do this &#8211; but why would you load unnecessary attack tools on the system when you can just LoL? Open up the hexeditor on /var/log/wtmp. I am using &#8220;hexedit&#8221;.&nbsp;</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana;">The account I want to remove from the log is &#8220;shutdown&#8221; (why? because I felt like it and there is no attacker on my sift workstation lol). The starting point to edit is where you note the first &#8220;~&#8221; in hex. 
I have highlighted the areas to edit in purple. Edit these so it is all &#8220;0&#8221; by nulling all the values out.&nbsp;</span></div><div style="text-align: left;"><span style="font-family: verdana;">If you mess this part up you will end up clearing the entire file xD.&nbsp;</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTecSope2PqaYUpZ2WXKAa1vVWwOfPp9v3lujR2l3aMApsIzSyjuCU-GId5gytHj6ZyKvN8F5jccRnoOYSXHNtPs2pP5NJy6n1Zw95vE3TuRNfwIcilX3Yxmcye0eqRsryWHd0ONpSomThOGd4IMm54qcR4aVcQGq5Kg1-koR4C62GSblKiSkbp2Iwuw/s1253/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="179" data-original-width="1253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTecSope2PqaYUpZ2WXKAa1vVWwOfPp9v3lujR2l3aMApsIzSyjuCU-GId5gytHj6ZyKvN8F5jccRnoOYSXHNtPs2pP5NJy6n1Zw95vE3TuRNfwIcilX3Yxmcye0eqRsryWHd0ONpSomThOGd4IMm54qcR4aVcQGq5Kg1-koR4C62GSblKiSkbp2Iwuw/s16000/3.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana;">The screenshot below shows the output of /var/log/wtmp now. You can see this entry has been removed as it&#8217;s been nulled out. 
The date has also reverted to the default (epoch) date in 1970.&nbsp;</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDMqadXchTO4AHbbnnDtIeuLe3ctBUTBFeeJEYMv3Ty4vpzKuBDa6MCAgAaqwuNUFLCjdEiwdPavJ4OfT988kTQr6A8l0mOeJtpfe_w8Jbo5phHQNA9fnovY1swF3J4xpqQri_kNj-4q0ipkVDoimDLdsBoQfe_QqxFXiQMXRxdnUqVkvKvsaKrAUeUA/s1153/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="330" data-original-width="1153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDMqadXchTO4AHbbnnDtIeuLe3ctBUTBFeeJEYMv3Ty4vpzKuBDa6MCAgAaqwuNUFLCjdEiwdPavJ4OfT988kTQr6A8l0mOeJtpfe_w8Jbo5phHQNA9fnovY1swF3J4xpqQri_kNj-4q0ipkVDoimDLdsBoQfe_QqxFXiQMXRxdnUqVkvKvsaKrAUeUA/s16000/4.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div><div><div style="text-align: left;"><span style="font-weight: 700;"><span style="font-family: verdana;"><br /></span></span></div><div style="font-weight: bold; text-align: left;"><b><span style="font-family: verdana; font-size: large;">Method 2 &#8211; Overwriting the file</span></b></div><div style="text-align: left;"><span style="font-weight: 700;"><span style="font-family: verdana;"><br /></span></span></div></div><div style="text-align: left;"><span style="font-family: verdana;">If bash_history is turned off, this is slightly harder to detect, as this technique results in entire lines being omitted from the log because we are completely overwriting the /var/log/wtmp file. The detection of this can be done by looking at timestamps though! UwU</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana;">We can accomplish this in two steps. 
The first is to grep out the lines we want to remove into a &#8220;clean&#8221; file. In the screenshot below, you can see I got rid of the &#8220;sansforensics&#8221; login.</span></div></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj62EywQnneDNlLFXtsFsnEhggrOQTNXqrYDMQQ9ExXJ0svHTT7eq-qzu4Dja0BgG84UaomvtWIvw_9ryBHVzPrw3vtL46_VEe5nwzjjL4Jc5fW3A2oDbtQMK8iwtWDvWEUd8-HFWfHXHB2lR6iuipqXGk9Gm5uN9VUZx3FFsLx1soi-owqm0ISIKji1Q/s902/7.1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="224" data-original-width="902" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj62EywQnneDNlLFXtsFsnEhggrOQTNXqrYDMQQ9ExXJ0svHTT7eq-qzu4Dja0BgG84UaomvtWIvw_9ryBHVzPrw3vtL46_VEe5nwzjjL4Jc5fW3A2oDbtQMK8iwtWDvWEUd8-HFWfHXHB2lR6iuipqXGk9Gm5uN9VUZx3FFsLx1soi-owqm0ISIKji1Q/s16000/7.1.png" /></span></a></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: verdana;">Then we want to replace the contents of /var/log/wtmp with the cleaned file:</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlH_C4m3pYw2Dt6qw2Fn_JXqUxWCLWDp-ILE7iLtEmtWHGpDuRXns26u0XCijgIA2TipCePbVNVkpLFL-j5YBwfr7MAPmkfgV9QC8jElnRdvi9UXmyk-j55LlICfVbsVrWCo9J7ZnwqgJg7j_QOHtQT8JIoj5ApcuROpGC5aVk_WQ3LrPG33_VIbcPbg/s676/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="39" data-original-width="676" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlH_C4m3pYw2Dt6qw2Fn_JXqUxWCLWDp-ILE7iLtEmtWHGpDuRXns26u0XCijgIA2TipCePbVNVkpLFL-j5YBwfr7MAPmkfgV9QC8jElnRdvi9UXmyk-j55LlICfVbsVrWCo9J7ZnwqgJg7j_QOHtQT8JIoj5ApcuROpGC5aVk_WQ3LrPG33_VIbcPbg/s16000/8.png" /></span></a></div><div><span style="font-family: verdana;"><br /></span></div><span style="font-family: verdana;">If you view the results, you can see the entries for &#8220;sansforensics&#8221; are completely gone:&nbsp;</span></div><div><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3A03MC4PfV8tlYCqUV5F3i54K3ikNVluUmy105BrmbwC3ynxU3_rm15cx5KXeM1nQIpGpCRKo4VYq_hR2XFR6l2NmV-78I_DENyzIt67lqgzSbFhJP4h1-wV7aX-1RbaRjhcSXd3RwU2tqO1Ub3bIPfJ4rMW8t1vCBDA1YwArnBNuMem8lvD7rmC5KQ/s1222/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="289" data-original-width="1222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3A03MC4PfV8tlYCqUV5F3i54K3ikNVluUmy105BrmbwC3ynxU3_rm15cx5KXeM1nQIpGpCRKo4VYq_hR2XFR6l2NmV-78I_DENyzIt67lqgzSbFhJP4h1-wV7aX-1RbaRjhcSXd3RwU2tqO1Ub3bIPfJ4rMW8t1vCBDA1YwArnBNuMem8lvD7rmC5KQ/s16000/9.png" /></span></a></div><span style="font-family: verdana;"><br /></span><div><div><b><span style="font-family: verdana;"><br /><span style="font-size: large;">DETECTION METHODOLOGY</span></span></b></div><div><span style="font-family: verdana;">This first method of anti-forensics / log evasion is trivial to detect and the detection is pretty high-fidelity. 
I would look for entries in wtmp, btmp and utmp where:</span></div><div><ul style="text-align: left;"><li><span style="font-family: verdana;">Values are zeroes (null), as this is not normal at all&nbsp;</span></li><li><span style="font-family: verdana;">The datetime has been stomped to &#8220;1970*&#8221;</span></li></ul></div><div><span style="font-family: verdana;">The next step is to review the timestamp of the actual /var/log/wtmp file itself. The file&#8217;s own timestamp should always match the timestamp of the LAST entry that exists within it. Please observe the following example of a non-tampered wtmp file:</span></div><div><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC5MCLNr355ej2yt1EU9haZahOtNP1jvnKll3A7uBV8pOhpkuccQKgczPTmJtAiDK3l-gregw7J1JlXfwUL8ZypoToCtvRbR6aMMYXyeTsK2_QFd_MZC6_0q7nO1HewDlorLiqNF-TrslxwPo6P7TjZvtGc4nFsg_GbNw5PVk15Z7B-xXfZSwIlSSc5w/s1155/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="304" data-original-width="1155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC5MCLNr355ej2yt1EU9haZahOtNP1jvnKll3A7uBV8pOhpkuccQKgczPTmJtAiDK3l-gregw7J1JlXfwUL8ZypoToCtvRbR6aMMYXyeTsK2_QFd_MZC6_0q7nO1HewDlorLiqNF-TrslxwPo6P7TjZvtGc4nFsg_GbNw5PVk15Z7B-xXfZSwIlSSc5w/s16000/10.png" /></span></a></div><span style="font-family: verdana;"><br /></span><div><span style="font-family: verdana;">And now compare it to the timestamps on the wtmp file itself. 
You will see they are always supposed to match:</span></div><div><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLhtpw3FczHWK-jmQ4nQP2m-6ghgWlI1E4c3uzdtpYIc38Tb-vviKva85pIUzWigYgPNAqyt0IxmcSnNEOfzVneQzkHA92kOBwHn7htZybDUKFPaart0rkrGaXvnFK5xXj-qH2AZRfS5ieJM3bwiwHvIjkQFtYsIa59AZSrEsfU9F4RBZHAi30DZOzVw/s718/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="163" data-original-width="718" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLhtpw3FczHWK-jmQ4nQP2m-6ghgWlI1E4c3uzdtpYIc38Tb-vviKva85pIUzWigYgPNAqyt0IxmcSnNEOfzVneQzkHA92kOBwHn7htZybDUKFPaart0rkrGaXvnFK5xXj-qH2AZRfS5ieJM3bwiwHvIjkQFtYsIa59AZSrEsfU9F4RBZHAi30DZOzVw/s16000/11.png" /></span></a></div><div><span style="font-family: verdana;"><br /></span></div><span style="font-family: verdana;">Following this logic, if you review the timestamps for wtmp post tampering &#8211; the timestamps now do not match up ;)</span></div><div><span style="font-family: verdana;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqkaTGarY85jGTsf1FHCUjG4b33h1Z6z5UXvJ9eQVCSh1MVULvx_GZ4vFLqWMAO3HxMET2xjRqU878Cxoz_P1Td-JV5blU9TYmI6cLPpxAIlmRNDi45B1GLnAvtIyTx6pt1SKKG3-kaJ4rvwuU1927RSpzi4vRSi7uXi_koZYv6L2oIoV9CEAPBc2CZQ/s973/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img border="0" data-original-height="163" data-original-width="973" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqkaTGarY85jGTsf1FHCUjG4b33h1Z6z5UXvJ9eQVCSh1MVULvx_GZ4vFLqWMAO3HxMET2xjRqU878Cxoz_P1Td-JV5blU9TYmI6cLPpxAIlmRNDi45B1GLnAvtIyTx6pt1SKKG3-kaJ4rvwuU1927RSpzi4vRSi7uXi_koZYv6L2oIoV9CEAPBc2CZQ/s16000/12.png" /></span></a></div><span 
style="font-family: verdana;"><br /></span><div><span style="font-family: verdana;"><br /></span><div><div><span style="font-family: verdana;">Therefore, to summarise, the key indicators for detecting this are (note that for Method 2 only the first and last apply, since no nulled entry remains in the file):</span></div><div><ul style="text-align: left;"><li><span style="font-family: verdana;">Bash history showing the editing or overwriting commands (if HISTSIZE isn&#8217;t 0)</span></li><li><span style="font-family: verdana;">Values of zero (null) in wtmp, btmp or utmp entries</span></li><li><span style="font-family: verdana;">Entries with a timestamp containing the year 1970 (the default/epoch time)</span></li><li><span style="font-family: verdana;">Timestamp mismatch between the last entry in the file and the file&#8217;s own timestamp&nbsp;</span></li></ul></div><div><span style="font-family: verdana;">Happy hunting! X&nbsp;</span></div></div><div><span style="font-family: verdana;"><br /></span></div><div><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><br /></div></div>
</div>
<div class='post-bottom'>
<div class='post-footer float-container'>
<div class='post-footer-line post-footer-line-1'>
</div>
<div class='post-footer-line post-footer-line-2'>
<span class='byline post-labels'>
<span class='byline-label'>
</span>
<a href='https://www.inversecos.com/search/label/detecting%20linux%20defence%20evasion' rel='tag'>detecting linux defence evasion</a>
<a href='https://www.inversecos.com/search/label/linux%20anti-forensics' rel='tag'>linux anti-forensics</a>
<a href='https://www.inversecos.com/search/label/linux%20defence%20evasion' rel='tag'>linux defence evasion</a>
<a href='https://www.inversecos.com/search/label/linux%20log%20tampering' rel='tag'>linux log tampering</a>
</span>
</div>
<div class='post-footer-line post-footer-line-3'>
</div>
</div>
</div>
</div>
</div>
</article>
</div>
</div><div class='widget PopularPosts' data-version='2' id='PopularPosts1'>
</div></div>
</main>
</div>
<footer class='footer section' id='footer' name='Footer'><div class='widget Attribution' data-version='2' id='Attribution1'>
</div></footer>
</div>
</div>
</div>
</body>
</html>